claudetools/clients/cascades-tucson/docs/migration/synology-permission-analysis-2026-04-22.md
Howard Enos af4ad0aea3 cascades: CS-SERVER preflight verified + Synology discovery complete
CS-SERVER post-reboot verification: time sync, TLS 1.2 enforcement, and
Windows Server Backup feature all persisted cleanly. dcdiag clean. Ready
for Entra Connect install.

Synology cascadesDS permission inventory captured via DSM API (SSH
disabled by default on Synology). 35 users, 4 groups, 10 shares.
Analysis identifies 7 shared-account role logins (HIPAA violation),
8 departed-employee accounts to clean up, and 4 shares needing
Meredith-side confirmation before migration (pacs most sensitive).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 18:59:38 -07:00


Synology cascadesDS — Analysis + Migration Mapping (2026-04-22)

Inventory source: synology-permission-inventory.md (derived from synology-permission-inventory-raw.md)
Purpose: Feed the Phase 4 (phase4-synology.md §6.0) permission migration — CS-SERVER NTFS/SMB ACLs are applied via scripts/phase2-file-shares.ps1.


Headline observations

1. Shared-account / role-based logins exist on Synology

The following Synology user accounts are role names, not individuals. Each is a HIPAA §164.312(a)(2)(i) Unique User Identification problem on the Synology — multiple humans share one credential when accessing PHI-bearing shares, so no file access in the audit trail can be attributed to a person:

  • Accounting
  • Dining Manager
  • Front Desk
  • mcnurse (Memory Care nurse)
  • Memcare Receptionist
  • memcarenurse
  • Nurse Tower

These should not be carried forward to CS-SERVER. The CS-SERVER model is per-person named accounts (per Howard's 2026-04-22 rollout plan), so at cutover these shared logins disappear and the permissions they held migrate to the appropriate AD security group, granted to the named users who actually do that job.

2. Departed employees still present on Synology

Per our AD state and the 2026-04-22 working list:

| Synology user | Status |
|---|---|
| Amber M Lee | Not in AD or current roster — treat as departed |
| Ann Dery | Former employee (deleted from AD 2026-04-13) |
| Anna Pitzlin | Former employee (confirmed by HR, slated for deletion) |
| Britney Thompson | Departed 2026-04-22 per John's reply |
| Haris Durut | Former employee (deleted from AD 2026-04-13) |
| Monica RamirezRossette | Former employee (removed from Domain Admins 2026-03-09) |
| Nela Durut-Azizi | Former employee (already expired=yes on Synology) |
| Tamra Johnson | Renamed to Tamra Matthews; the Synology account is the old name (stale account, not a departure) |

None of these carry forward. Delete after cutover.

3. Service/admin accounts to keep or retire

| Account | Keep or retire |
|---|---|
| admin | Keep (DSM default; locked to administrators). Used only during maintenance. |
| guest | Already expired=yes. Leave disabled. HIPAA audit says remove; keep as-is for now. |
| guru | Keep (MSP / Computer Guru service account). Rotate password post-cutover. |
| CasAdmin201 | Investigate — looks like a prior-MSP admin account. Has Admin rights on every share. Recommend disable + confirm with Meredith before deletion. |
| VPNClient | Synology VPN service account; narrow purpose. Keep as-is unless VPN feature is retired. |

4. Four Synology groups, but only one is load-bearing for staff

  • administrators — DSM admin group. Full control everywhere.
  • http — Web-service group, not staff-facing.
  • MainOffice — Appears to be a custom group for office staff. This is the one we need to translate into AD groups when migrating share access.
  • users — Default membership (every local user is a member). Most share permissions grant modest rights to this group.

Group-member enumeration via the DSM API returned error 3201, so full membership will need to be captured via the DSM web UI (Control Panel → User & Group → Group → double-click → Members tab) or via the CLI once SSH is enabled (synogroup --get MainOffice lists a group's members). Capture it before cutover: MainOffice is the only group whose membership determines staff share access, and a missed member becomes a missed grant on CS-SERVER.

5. Sandra Fish share

There's a share named Sandra Fish — former director's personal folder. Has the same deny pattern as other shares. Decision needed: archive contents to Archive\Former-Director-Sandra-Fish\ on CS-SERVER and delete the share, or keep accessible only to Meredith as custodian until retention expires (state/HIPAA).

6. pacs share

pacs likely refers to a Picture Archiving and Communication System — medical imaging. Heavy deny pattern (most users denied by default). This is a HIPAA-clinical share. Worth confirming with Meredith what's actually in it before moving — if it's live imaging of residents, SMB encryption on the share (the EncryptData setting of New-SmbShare / Set-SmbShare) is mandatory and access should narrow to the Clinical-PHI group only.

7. web, Activities, chat shares

  • web — likely the DSM Web Station share. Mostly denied for users. Retire with Synology.
  • Activities — Life Enrichment activity docs? Unclear. Meredith-confirm.
  • chat — likely for DSM Chat. If unused (Teams is the planned chat per HIPAA doc), retire.

Synology → AD identity mapping

For the 2026-04-22 active roster, here is the proposed mapping. Use this to feed SG-* group memberships before phase2-file-shares.ps1 runs.

| Synology user | AD identity (SamAccountName) | AD department |
|---|---|---|
| Ashley Jensen | Ashley.Jensen | Administrative |
| ChristinaDupras | Christina.DuPras | Resident Services |
| Crystal Rodriguez | Crystal.Rodriguez | Marketing |
| Crystal Suszek | (alias of Crystal Rodriguez — consolidate; no second AD account) | |
| JD Martin | JD.Martin | Culinary |
| John Trozzi | John.Trozzi | Maintenance |
| Karen Rossini | karen.rossini | Care, Assisted Living |
| Lois Lane | Lois.Lane | Care, Assisted Living |
| Lupe Sanchez | Lupe.Sanchez | Housekeeping |
| Megan Hiatt | Megan.Hiatt | Marketing |
| meredith kuhn | Meredith.Kuhn | Administrative |
| Shelby Trozzi | Shelby.Trozzi | Memory Care |
| Susan Hicks | Susan.Hicks | Life Enrichment |
| Veronica | Veronica.Feller | Care, Assisted Living |
| Stephanie Devin | (not in AD — blocked in M365, former employee) | |

Not migrated: Amber M Lee, Ann Dery, Anna Pitzlin, Britney Thompson, Haris Durut, Monica RamirezRossette, Nela Durut-Azizi, Tamra Johnson. Plus all role accounts in observation #1.
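The membership load described above, as an added example that is not the project's phase2-file-shares.ps1 or any other script in this repo. It assumes the ActiveDirectory RSAT module on a domain-joined admin session and a CSV with the columns SynologyUser,SamAccountName,Group; the embedded rows are constructed from the tables on this page (the SG-Sales-RW and SG-Culinary-RW members named here), and the CSV path is a placeholder. Every SamAccountName and group is checked against AD first, and any error stops the run, so a typo in the mapping surfaces before any ACL is written.

```powershell
# Added example, not the repo's phase2-file-shares.ps1. Populates SG-* groups from
# the Synology -> AD mapping so the share script can grant by group only.
# Assumes: ActiveDirectory module, an account with group-write rights, and a CSV
# with columns SynologyUser,SamAccountName,Group (path below is a placeholder).
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$MappingCsv = "$PSScriptRoot\synology-to-sg.csv"   # placeholder path
)

# Constructed sample rows, taken from the mapping and share tables in this document.
# Role logins and departed users are deliberately absent: nothing maps them.
$sampleRows = @'
SynologyUser,SamAccountName,Group
Megan Hiatt,Megan.Hiatt,SG-Sales-RW
Crystal Rodriguez,Crystal.Rodriguez,SG-Sales-RW
Ashley Jensen,Ashley.Jensen,SG-Sales-RW
JD Martin,JD.Martin,SG-Culinary-RW
Stephanie Devin,,(none - former employee)
'@

$rows = if (Test-Path $MappingCsv) { Import-Csv $MappingCsv } else { $sampleRows | ConvertFrom-Csv }

$report = foreach ($row in $rows) {
    $state = [pscustomobject]@{
        SynologyUser   = $row.SynologyUser
        SamAccountName = $row.SamAccountName
        Group          = $row.Group
        Result         = ''
    }
    # Rows with no AD identity are the "do not migrate" cases: report, never grant.
    if ([string]::IsNullOrWhiteSpace($row.SamAccountName)) {
        $state.Result = 'SKIP: no AD identity (do not migrate)'; $state; continue
    }
    $user = Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'" -Properties Enabled
    if (-not $user)         { $state.Result = 'ERROR: SamAccountName not found in AD'; $state; continue }
    if (-not $user.Enabled) { $state.Result = 'SKIP: AD account disabled'; $state; continue }
    $group = Get-ADGroup -Filter "Name -eq '$($row.Group)'"
    if (-not $group)        { $state.Result = "ERROR: group $($row.Group) does not exist"; $state; continue }

    $already = Get-ADGroupMember -Identity $group | Where-Object SamAccountName -eq $user.SamAccountName
    if ($already) {
        $state.Result = 'OK: already a member'
    } elseif ($PSCmdlet.ShouldProcess("$($user.SamAccountName) -> $($group.Name)", 'Add-ADGroupMember')) {
        Add-ADGroupMember -Identity $group -Members $user
        $state.Result = 'ADDED'
    } else {
        $state.Result = 'WHATIF'
    }
    $state
}

$report | Format-Table -AutoSize
# Any ERROR row means the mapping table is wrong; fix it before phase2-file-shares.ps1 runs.
if ($report.Result -match '^ERROR') { exit 1 }
```

Run it first with -WhatIf to get the report without changing AD; the skipped rows are the audit record that the departed and role accounts were seen and deliberately not mapped.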


Proposed AD security group → CS-SERVER share mapping

Mirror of the Synology pattern, collapsed onto the AD security groups we're creating in the rollout (see docs/cloud/user-account-rollout-plan.md §4). Individual user ACEs from Synology merge into the matching group.

| Share | Who gets RW on CS-SERVER | Who gets RO | Notes |
|---|---|---|---|
| Management | SG-Management-RW = Administrative + Sales Director + Clinical Directors + Life Enrichment Director | Authenticated Users (RO) | Current Synology: deny-by-default, individual grants; clean slate on CS-SERVER with group-based ACEs |
| SalesDept | SG-Sales-RW = Megan, Crystal, Tamra, Lauren, Allison, Ashley | | PHI concern (resident intake forms) — audit SACL required |
| Server | SG-Server-RW = Administrative + IT | | IT / sysadmin scratch space |
| homes | Per-user only (CREATOR OWNER for new subfolders, Domain Users read on root) | | Already the CS-SERVER pattern per phase2-server-prep.md |
| Public | Authenticated Users RW | | Non-sensitive shared area |
| Culinary | SG-Culinary-RW = JD Martin, Ramon, Alyssa | | Already created on CS-SERVER (per cs-server.md §SMB shares) — verify ACL |
| pacs | INVESTIGATE FIRST — clinical imaging; scope to SG-Clinical-PHI if confirmed + enable SMB3 encryption + SACL auditing | | Critical PHI share; do not migrate until confirmed |
| Activities | TBD — ask Meredith | TBD | Life Enrichment? |
| chat, web | Do not migrate | | Retire with Synology |
| Sandra Fish | Archive-only access for Meredith + IT | | Former-director data; retention decision needed |
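The pacs treatment in the table (group-scoped DACL, SMB3 encryption, Object Access SACL), as an added example that is not the project's script and is not to be run until Meredith confirms the share's contents. It assumes a local path D:\Shares\pacs (placeholder), that SG-Clinical-PHI already exists in AD, the ActiveDirectory and SmbShare modules on CS-SERVER, and that the File System audit subcategory is enabled; the SACL records nothing until it is.

```powershell
# Added example, not the repo's phase2-file-shares.ps1: CS-SERVER hardening for a
# confirmed PHI share. Path is a placeholder; SG-Clinical-PHI is the group named
# in this document. Run elevated: writing a SACL needs SeSecurityPrivilege.
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory, SmbShare
param(
    [string]$Path      = 'D:\Shares\pacs',    # assumption
    [string]$ShareName = 'pacs',
    [string]$PhiGroup  = 'SG-Clinical-PHI'
)

$domain = (Get-ADDomain).NetBIOSName
$rw = "$domain\$PhiGroup"
if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

# --- NTFS DACL: break inheritance, remove every existing ACE, grant by group only ---
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)          # protected, inherited ACEs dropped
foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRule($ace) }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($g in @(
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = $rw;                      Rights = 'Modify' }   # Modify, not FullControl: staff cannot rewrite ACLs
    )) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($g.Id, $g.Rights, $inherit, $prop, 'Allow'))
}
Set-Acl -Path $Path -AclObject $acl

# --- NTFS SACL: audit every success and failure on the tree ---
# Requires: auditpol /set /subcategory:"File System" /success:enable /failure:enable
$sacl = Get-Acl -Path $Path -Audit
$sacl.AddAuditRule([System.Security.AccessControl.FileSystemAuditRule]::new('Everyone', 'FullControl', $inherit, $prop, 'Success, Failure'))
Set-Acl -Path $Path -AclObject $sacl

# --- SMB share: only the PHI group, SMB3 encryption required, access-based enumeration ---
# EncryptData makes the share refuse clients that cannot negotiate SMB3 encryption.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -FullAccess $rw -EncryptData $true -FolderEnumerationMode AccessBased | Out-Null
} else {
    Set-SmbShare -Name $ShareName -EncryptData $true -FolderEnumerationMode AccessBased -Force
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue
    Grant-SmbShareAccess -Name $ShareName -AccountName $rw -AccessRight Full -Force | Out-Null
}

# --- Verification: the state a reviewer should see before sign-off ---
Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData, FolderEnumerationMode
Get-SmbShareAccess -Name $ShareName
(Get-Acl $Path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
(Get-Acl $Path -Audit).Audit | Select-Object IdentityReference, FileSystemRights, AuditFlags
```

Share permissions are left at Full for the group and effective access is narrowed by the NTFS DACL, which is the usual Windows pattern; the SACL plus the audit policy are what produce Event ID 4663 entries attributable to a named user, which is the whole point of retiring the shared role logins.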

Questions for Meredith / Howard before cutover

  1. What is in pacs today? If it's medical imaging, we treat it as the highest-sensitivity share — strict ACL, SMB3 encryption, full Object Access audit SACL, dedicated SG-Clinical-PHI group.
  2. What is in Activities? Life Enrichment docs? HIPAA-relevant (resident participation records)?
  3. CasAdmin201 — who is/was this? Used today or legacy?
  4. Is Meredith's Sandra Fish share something to archive long-term or purge?
  5. chat — currently used? If not, confirm for retirement.

Next action items

  • Walk through DSM Control Panel with Howard to capture the MainOffice group membership (API error 3201 blocked automated pull)
  • Confirm with Meredith the content/use of pacs, Activities, chat, Sandra Fish
  • Update docs/migration/scripts/phase2-file-shares.ps1 inputs with the mapping table above
  • After CS-SERVER is migrated: disable Synology shared-account logins (Accounting, Front Desk, mcnurse, memcarenurse, Memcare Receptionist, Nurse Tower, Dining Manager) — HIPAA compliance cleanup
  • After CS-SERVER is migrated: disable former-employee Synology accounts (Amber, Ann, Anna, Britney, Haris, Monica, Nela, Tamra)
  • Reconfigure Synology as backup target per phase4-synology.md §6.4, retire it as a NAS